Thread: tracing IP

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    6

    tracing IP

    We have a computer that is getting a ton of failed login attempts. I have the IP of the person that is trying to log in. I would like to find out more about where it is coming from. I did a whois lookup but it didn't really help, and I did a trace route but that didn't help.

    How do I find out where/who it is?

  2. #2
    Member
    Join Date
    Apr 2006
    Posts
    66
    Did the whois come up with anything of use?

  3. #3
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Try this site. See if the hostname will give you any clues:

    http://www.hcidata.info/host2ip.htm
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  4. #4
    Junior Member
    Join Date
    Oct 2009
    Posts
    6
    That was better than the whois site. It said it was from China, which is not what ARIN said. http://ws.arin.net/whois/ said the country is AU. Is there anything I can do other than block that port on the firewall? I am guessing it's just a script, based on the random names they are trying to log in with.

  5. #5
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Is it SSH? I have heard that a lot of SSH bruteforce attacks are coming from Chinese IPs. Now, whether or not the attacks are actually originating there is another issue.

  6. #6
    Member
    Join Date
    Jul 2009
    Posts
    45
    Is it a service that is required to be open to everyone? E.g., if you're in the USA and it's for employees to do remote desktop, then you could block foreign IPs to that port (set of ports). If it's supposed to be open for people to connect to, then your only real option is to block individual IPs that become abusive. Alternatively, you can work with IDS & IPS on your perimeter to have them stopped at the edges based on their actions. You would set reasonable limits: 5 attempts in a short period of time might be OK, but 10 in that same time frame would indicate an attack, etc.
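
Added example, not part of the post above: a sliding-window check over sshd "Failed password" log lines that flags a source IP once it reaches 10 failures inside one window, the limit suggested in that post. The 60-second window, the syslog line layout, the function names and the sample log (documentation-range IPs) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the post gives the counts (5 tolerated, 10 = attack), not the window.
WINDOW = timedelta(seconds=60)
THRESHOLD = 10

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_abusive(lines, year=2009):
    """Return {ip: time the threshold was first reached}. Lines must be in time
    order; syslog timestamps carry no year, so one is supplied (assumption)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # not a failed-password line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= THRESHOLD and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed sample lines in sshd syslog format (not real log data)."""
    def line(sec, who, ip):
        ts = datetime(2009, 10, 12, 3, 0, 0) + timedelta(seconds=sec)
        return (f"{ts:%b %d %H:%M:%S} host sshd[4242]: Failed password for "
                f"{who} from {ip} port 50000 ssh2")
    rows = [(2 * i, f"invalid user user{i}", "203.0.113.7") for i in range(12)]  # scripted guessing
    rows += [(10 * i, "alice", "198.51.100.20") for i in range(5)]   # forgetful user, 5 tries
    rows += [(90 * i, "root", "192.0.2.50") for i in range(10)]      # 10 tries, but spread out
    return [line(*row) for row in sorted(rows)]

if __name__ == "__main__":
    for ip, when in find_abusive(sample_log()).items():
        print(f"{ip} reached {THRESHOLD} failures within {WINDOW} at {when}")
```

Only the scripted source is flagged; the user with 5 failures and the source whose 10 failures are 90 seconds apart stay under the limit, which shows how much the choice of window matters.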

  7. #7
    Banned
    Join Date
    Jan 2008
    Posts
    605
    You can just set up the event viewer to not keep a log every time worms grind services or when users turn on the computer and forget their login details.

  8. #8
    Junior Member
    Join Date
    Oct 2009
    Posts
    6
    Yup, it's SSH attempts. Thanks for the help, everyone.

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Can you configure the firewall to simply block that IP address?

    Regards,

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
